Jared Rittle and Patrick DeSantis of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, the majority of which can cause a denial of service. The Modicon M580 is the latest in
Schneider Electric's Modicon line of programmable automation controllers. The majority of the bugs we will discuss exist in the Modicon's use of FTP.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Schneider Electric to ensure that these issues are resolved and that an update is available for affected customers. Talos previously disclosed a separate round of vulnerabilities in this product in June.
Vulnerability details
Schneider Electric Modicon M580 FTP cleartext authentication vulnerability (TALOS-2019-0827/CVE-2019-6846)
An exploitable information disclosure vulnerability exists in the FTP functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.80. An attacker can sniff network traffic to exploit this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 mismatched firmware image FTP upgrade denial-of-service vulnerability (TALOS-2019-0825/CVE-2019-6844)
An exploitable denial of service vulnerability exists in the FTP firmware update functionality of the Schneider Electric Modicon M580 Programmable Automation Controller firmware version SV2.80. A specially crafted firmware image can cause the device to enter a recoverable fault state, resulting in a stoppage of normal device execution. An attacker can use default credentials to send commands that trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 malformed firmware image FTP upgrade denial-of-service vulnerability (TALOS-2019-0824/CVE-2019-6843)
An exploitable denial-of-service vulnerability exists in the FTP firmware update function of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.80. A specially crafted firmware image can cause the device to enter a recoverable fault state, resulting in a stoppage of normal device execution. An attacker can use default credentials to send commands that trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 FTP incomplete firmware update denial-of-service vulnerability (TALOS-2019-0823/CVE-2019-6842)
An exploitable denial-of-service vulnerability exists in the FTP firmware update function of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.80. A specially crafted set of FTP commands can cause the device to enter a recoverable fault state, resulting in a stoppage of normal device execution. An attacker can use default credentials to send commands that trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 FTP firmware update loader service denial-of-service vulnerability (TALOS-2019-0822/CVE-2019-6841)
An exploitable denial-of-service vulnerability exists in the FTP firmware update service function of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.80. A specially ordered set of FTP commands can cause the FTP loader service to enter a waiting state, resulting in an inability to update device firmware via FTP. An attacker can use default credentials to send commands that trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 UMAS cleartext data transmission vulnerability (TALOS-2019-0826/CVE-2019-6845)
An exploitable information disclosure vulnerability exists in the UMAS functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.80. An attacker can sniff network traffic to exploit this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 outdated firmware image FTP upgrade denial-of-service vulnerability (TALOS-2019-0847/CVE-2019-6847)
An exploitable denial-of-service vulnerability exists in the FTP firmware update functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.80. An outdated firmware image can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can use default credentials to send commands that trigger this vulnerability. There is no explicit patch available for this vulnerability, but Schneider has released a mitigation.
For more information on this vulnerability, read the complete advisory here.
Schneider Electric Modicon M580 TFTP server information disclosure vulnerability (TALOS-2019-0851/CVE-2019-6851)
An exploitable information disclosure vulnerability exists in the TFTP server functionality of the Schneider Electric Modicon M580 Programmable Automation Controller. A specially crafted TFTP get request can cause a file download, resulting in disclosure of sensitive information. An attacker can send unauthenticated commands to trigger this vulnerability.
For more information on this vulnerability, read the complete advisory here.
Versions affected
Talos tested and confirmed that the Schneider Electric Modicon M580, BMEP582040 SV2.80, is affected by these vulnerabilities. TALOS-2019-0847 affects the same version if it's downgraded to SV2.10.
Coverage The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 49982, 49983